- Mastering Windows Group Policy
- Jordan Krause
- 442 words
- 2021-06-10 18:47:55
Using the newest GPMC
Our test lab is running brand-new instances of the latest Windows 10 and Server 2016, so we have no concerns about old technology or outdated consoles. However, in production environments, there are almost always old pieces of equipment still being used. This seems to be particularly true with DCs. Many administrators make their Group Policy changes by using GPMC on their DCs, because that is where GPOs live and it makes some common sense to use DCs as centralized points of administration. We already covered the reasons why this isn't a best practice, but alas it is simply the way things are in many organizations.
The rub comes in because, for numerous reasons, it seems like DCs are always the last servers to get updated to the newest operating systems, or at least your PDC Emulator is. I have witnessed domains consisting of literally hundreds of DCs all track back to a PDC that is still running Server 2008 R2. I have also seen networks where brand-new Server 2016 DCs were still happily running right alongside Server 2003 DCs.
I cover all of this to simply say that Group Policy administration should always be done from the newest platform that you have available to you. If you don't have any Windows Server 2016 servers, it should at least be easy enough for you to gain access to a Windows 10 computer where you can then install the RSAT tools (see Chapter 2, Group Policy Management Console (GPMC)). The reason you want to be running a newer operating system is that GPMC has been updated over the years as new features have been released. Within the same domain, opening GPMC on a Server 2008 R2 machine and opening it side by side on a Server 2016 machine will show different options and functionality between the two. Most of what you will find is still exactly the same, but functionality introduced in the newer platforms will only be visible from the Server 2016 console.
There is also the chance that a GPO opened in GPMC on an older platform will have "invisible" settings inside. If a colleague with Windows 10 adds a setting to a GPO that is related to a brand-new feature, and then you open GPMC from a Server 2008 machine and navigate to that same GPO, you simply will not see the setting that is contained inside that GPO. The setting is there, but the older GPMC is unable to display it to you, and you have no idea that it exists.
Long story short—always run GPMC on the newest operating system that exists in your environment.
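To see how far your DCs and PDC Emulator lag behind, and whether the machine you are sitting at is an acceptable place to run GPMC, you can inventory DC operating systems from PowerShell. The script below is an added example, not code from the book; it assumes the ActiveDirectory module from RSAT is installed, and it uses the newest DC operating system only as a floor, since a Windows 10 workstation with RSAT may be newer still. `ConvertTo-OSVersion` is a helper name made up for this example.

```powershell
# Added example; requires the ActiveDirectory module (installed with RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: turn AD's "10.0 (14393)" style string into a [version].
function ConvertTo-OSVersion([string]$Raw) {
    if ($Raw -match '^(\d+)\.(\d+)\s*\((\d+)\)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
    }
    return [version]'0.0.0'   # empty or unparsable attribute sorts as oldest
}

$pdc = (Get-ADDomain).PDCEmulator   # FQDN of the PDC Emulator role holder

# One row per DC, oldest operating system first.
$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.HostName
        OS      = $_.OperatingSystem
        Version = (ConvertTo-OSVersion $_.OperatingSystemVersion)
        IsPDC   = ($_.HostName -eq $pdc)
    }
} | Sort-Object Version

$dcs | Format-Table -AutoSize

# Newest DC OS in the domain, used here as the minimum for running GPMC.
$newest = ($dcs | Select-Object -Last 1).Version

# OS of the machine this script (and your GPMC) is running on.
$os    = [Environment]::OSVersion.Version
$local = [version]"$($os.Major).$($os.Minor).$($os.Build)"

# Call out DCs that lag behind, with the PDC Emulator named explicitly.
foreach ($dc in ($dcs | Where-Object { $_.Version -lt $newest })) {
    $role = if ($dc.IsPDC) { ' (PDC Emulator)' } else { '' }
    Write-Warning "$($dc.Name)$role runs $($dc.OS); avoid editing GPOs in GPMC there."
}

if ($local -lt $newest) {
    Write-Warning "This machine ($local) is older than the newest DC ($newest); GPMC here may not display newer settings."
} else {
    Write-Output "This machine ($local) is at or above the newest DC OS ($newest)."
}
```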